capa logo

Extract capabilities from executable files

capa is the FLARE team's free and open-source tool to identify capabilities in executable files. Triage unknown files, guide reverse engineering, and hunt across a corpus for novel malware. Refer to capa's rule set as an encyclopedia of techniques used in real-world attacks, pivoting across MITRE ATT&CK and Malware Behavior Catalog (MBC) references.

Download Browse Rules
default capa output

Rules Crafted by Experts

capa recognizes behaviors by matching rules crafted by expert reverse engineers.

Rules describe logical combinations of features familiar to human analysts. Things like:

  • API calls, like CreateRemoteThread,
  • integer constants, like 0x100000001b3 = FNV prime,
  • string references, like "ZIG_DEBUG_COLOR".

capa looks for these features within instructions, basic blocks, and functions, having already disassembled the input file. In contrast to YARA, which primarily searches for sequences of bytes, capa rules describe features at the code-level.

Browse Rules Learn the Syntax
capa rule source

What's New

Rule Updates

Tool Updates

v7.4.0 (2024-10-04)

The v7.4.0 capa release fixes a bug when processing VMRay analysis archives and enhances API extraction for all dynamic backends. For better terminal rendering capa now solely relies on the rich library.
The standalone capa executable can now automatically detect installations of relevant third party applications and use their backends (notably, idalib and Binary Ninja). For the extra standalone Linux build we've upgraded from Python 3.11 to 3.12.

v7.3.0 (2024-09-20)

The capa v7.3.0 release comes with the following three major enhancements:

1. Support for VMRay sandbox analysis archives: Unlock powerful malware analysis with capa's new VMRay sandbox integration! Simply provide a VMRay analysis archive, and capa will automatically extract and match capabilities to streamline your workflow. This is the second support for the analysis of dynamic analysis results after CAPE.

2. Support for BinExport files generated by Ghidra: BinExport files store disassembled data into a Protocol Buffer format. capa now supports the analysis of BinExport files generated by Ghidra. Using Ghidra and the BinExport file format users can now analyze ARM (AARCH64) ELF files targeting Android.

3. Introducing the capa rules website: You can now browse capa's default rule set at https://mandiant.github.io/capa/rules. In modern terminals the CLI capa tool hyperlinks to resources on the web, including entries on the capa rules website. Furthermore, https://mandiant.github.io/capa provides a landing page for the capa tool project.

v7.2.0 (2024-08-20)

capa v7.2.0 introduces a first version of capa Explorer Web: a web-based user interface to inspect capa results using your browser. capa Explorer Web was worked on by @s-ff as part of a GSoC project, and it is available at https://mandiant.github.io/capa/explorer/. This release also adds a feature extractor for output from the DRAKVUF sandbox. Now, analysts can pass the resulting drakmon.log file to capa and extract capabilities from the artifacts captured by the sandbox.

New features:

  • webui: explore capa analysis results in a web-based UI online and offline
  • support analyzing DRAKVUF traces
  • IDA extractor: extract names from dynamically resolved APIs stored in renamed global variables
  • cli: add the ability to select which specific functions or processes to analyze

Integrates with Popular Reverse Engineering Tools

capa uses the results of static or dynamic analysis to find the capabilities of programs. The tool can rely on many different analysis backends, including IDA, Ghidra, Binary Ninja, CAPE, DRAKVUF, and VMRay. The capa Explorer plugins provide interfaces for understanding the behaviors in programs, directly within reverse engineering tools.

IDA Pro

Use the capa Explorer IDA Plugin to guide your reverse engineering, zeroing in on the interesting functions by behavior.

Ghidra

Invoke Ghidra in headless mode to collect features for capa, or use the capa Explorer Ghidra plugin to understand key functions.

Binary Ninja

Use Binary Ninja as the disassembler backend, relying on its state-of-the-art code analysis to recover capabilities.

CAPE

Analyze the API trace captured by CAPE as it detonates malware, summarizing the behaviors seen across thousands of function calls.

Download capa

We distribute capa as a standalone executable and as a Python library.

The standalone executable comes ready-to-go with 890+ embedded rules. Use this when analyzing files from the terminal on Windows, Linux, and macOS. There's a quickstart guide here (PDF).

Download standalone

capa is already included with malware analysis distributions like FLARE-VM and REmnux.

The Python library makes it easy to integrate capa into other projects, like our plugins for IDA Pro and Ghidra. Follow the instructions here , which starts with installation it from PyPI like this: 

pip install flare-capa

Here's an example of using capa as a library to process many files in parallel.

capa icon

capa

The FLARE team's open-source tool to identify capabilities in executable files.

Copyright © 2024 Mandiant, Inc. All Rights Reserved.
Licensed under the Apache License, Version 2.0.